Typical Sequence of FRCS Design and Construction Activities

An example sequence and duration of FRCS activities during design and construction is outlined in Table 1.

Table 1 Typical Sequence of FRCS Design and Construction Activities

Activity / Lead New Project Renovation Project Typical Duration
Presolicitation RFP Considerations

Obtain the Regional and ESTCP Platform Enclaves catogorization and categorize the FRCS

Use the EI&E FRCS Master Control List for C-I-A Values and Information/Data Types

Obtain the Regional and local Platform Enclaves catogorization and categorize the FRCS

Use the EI&E FRCS Master Control List for C-I-A Values and Information/Data Types

NA

Design

  • Basis of Design
  • Concept Design (10-15%)
  • Design Development (35-50%)
  • Pre-Final (90%)
  • Final (100%)

Lead: A/E

Documents/Models/Tools:

  • Construction Design Documents / Building Information Model (BIM) / CAD
  • CSET
  • GrassMarlin
  • Draft Baseline System Security Plan (SSP)
  • IT Contingency Plan and CONOPS (ITCP)

FRCS front end or new susbsystem back end to connect to front end

Confirm/revise system categorization, define network architecture, system components, concept of operations, drawings, and specifications.

At 90% design create initial SSP and baseline security risk assessment.

FRCS front end upgrade or subsystem modernization

Confirm/revise system categorization, define network architecture, system components, concept of operations, drawings, and specifications.

At 90% design create initial SSP and baseline security risk assessment.

3-6 Months

Construction

Test and Development (T&D) and Patch Management Environments (Virtual or Physical)

Lead: Construction/System Integrator

Documents/Models/Tools:

  • VM
  • Kali Linux
  • SamuraiSTFU
Conduct FRCS build and patch activities without impacting the organization’s production systems (test and development  environment typically provided by vendor). Validate and verify the upgrade/modernization/ patch is ready to support the additional systems without impacting the organization’s production systems (test and development environment typically provided by vendor). 4 – 6 weeks

Construction

Build/Configure Servers

Build and/or configure servers to properly operate the FRCS solution. Build and/or configure servers to properly operate the FRCS solution. 1 – 2 weeks

Construction

Install Supporting Software

Lead: Construction/System Integrator

Install supporting software on FRCS servers. Install supporting software on FRCS servers. 1 – 2 weeks

Construction

Configure Supporting Software

Lead: Construction/System Integrator

Documents/Models/Tools:

  • STIGS
  • SCAP
  • Continuous Monitoring
  • Kali Linux
  • SamuraiSTFU
  • FAT/SAT Checklist
  • Penetration Testing Scope and ROE (if required)
  • Jump-Kit Rescue CD
Configure FRCS software to meet unique needs.  After the operating system is loaded, apply hardening criteria (STIGs), run Security Content Automated Protocol (SCAP)-validated tool, perform factory acceptance testing (FAT) on major system components and devices, perform initial penetration testing. Configure FRCS software to meet unique needs.  After the operating system is loaded, apply hardening criteria (STIGS), run Security Content Automated Protocol (SCAP)-validated tool, perform FAT on major system components and devices, perform initial penetration testing.

1 – 2 weeks

NOTE: If a vendor will be creating a STIG for the UMCS Front-End or lower Level devices, this process can take several months to a year.

Apply STIGS to the PE and isolate lower Levels until vendor STIGS are approved.

Construction

Implement and assess security controls

Lead: construction/system integrator

Documents/Models/Tools:

  • CSET
  • SSP
  • Security Assessment Report (SAR)
  • Plan of Action & Milestones (POAM)
  • ITCP
  • Event/Incident Communications Procedures (EICP)
  • Security Incident Response Procedures (SIRP)
  • Penetration Testing Scope, ROE, Checklist (if required)
  • Jump-Kit Rescue CD
Conduct RMF Steps 3 and 4 by applying controls identified during the requirements and design phase, by assessing the adequacy and effectiveness of security controls, and by documenting findings in the security assessment report.  Create draft approval package. Conduct RMF Steps 3 and 4 by applying controls identified during the requirements and design phase, by assessing the adequacy and effectiveness of security controls, and by documenting findings in the security assessment report.  Create draft approval package. 12 – 20 weeks

Conduct testing on initial build

Lead: construction/system integrator

Documents/Models/Tools:

  • Kali Linux
  • SamuraiSTFU
Test FRCS solution in a test and development environment to ensure system errors are found, corrected before solution is deployed on network. Test FRCS solution in a test and development environment to ensure system errors are found,  corrected before solution is deployed on network. 2 – 4 weeks

Construction - conduct pilot implementation deployment

Lead: construction/system integrator

Documents/Models/Tools:

  • Kali Linux
  • SamuraiSTFU
  • OIT IT Repository
    • Penetration Testing Scope, ROE, Checklist (if required)
    • Jump-Kit Rescue CD
Pilot implementation of  FRCS solution on a small subset of user base to evaluate solution against real-world requirements. Conduct site acceptance testing, and if required final penetration testing, and create final approval package. Conduct site acceptance testing, and if required  final penetration testing, and create final approval package. Varies with size of deployment (number of facilities and interconnections)

Receive Authorization (ATO) and move to production

Lead: construction/system integrator

Documents/Models/Tools:

  • OIT IT Repository
    • Continuous Monitoring tools
    • Jump-Kit Rescue CD
Deploy the FRCS to full production and implement continuous monitoring. Deploy the FRCS to full production and extend continuous monitoring to new systems. NA
Product List by Product and Date Posted
Product Date Posted

GrassMarlin

Software

The GrassMarlin can be used by any organization and is a passive network and discovery tool that identifies control system components and devices and creates a network architecture diagram and inventory which can be imported into the CSET or Visio tools

Nov 2017

Kali

Software

Kali is a COTS product (free) can be used by any organization and is a penetration testing tool. Any organization can use the tool to perform the full range of traditional IT penetration tests, and it also now has several OT penetration testing capabilities. The tool runs on VMWare.

Nov 2017

SamuraiSTFU

Software

Kali is a COTS product (free) can be used by any organization and is a penetration testing tool. Any organization can use the tool to perform the full range of traditional IT penetration tests, but Samurai is specifically design for OT penetration testing capabilities in support of the EPRI Smart Grid and Smart Meter Penetration Testing Guides. The tool runs on VMWare.

Nov 2017

VMWare Workstation Player

Software

Workstation Player is a COTS product (free and purchase versions) can be used by any organization as a virtual machine. The Kali and SamuraiSTFU tools run on a VM.

Nov 2017

DHS ICS-CERT Cyber Security Evaluation Tool (CSET)

Software
test_dev_1

CSET is a free tool that can be used by any organization and has the DoD RMF process built-in to create the network architecture diagram, has a plug-in to import GrassMarlin network discovery and inventory files, and creates a Security Plan. 

May 2018
Share